Re: More CGI Comments

Roy T. Fielding (fielding@simplon.ICS.UCI.EDU)
Sat, 08 Jan 1994 14:26:35 -0800

Rich Brandwein writes:

> After playing with CGI-based httpd servers for awhile and writing scripts
> to them, I have the following observations/questions:
> 1) If you let users export information via their UserDir
> (i.e., ~/public_html by default), how can you gracefully allow them to
> create anything that requires a shell execution without giving everyone
> write access to the cgi-bin directory or creating cgi aliases for all
> users in srm.conf?

Just prior to reading this I was looking at a local notice about login
security. Thus, my first thought was what would happen if some user
created a script which deletes (recursively) all of the files in the
invokers home directory. Since the script would be executed under the
server's user ID (I think), would the script then delete all of the
server's subdirectories?

I'm not sure what would happen (I'm damn sure I don't want to test it),
but I think this question should be considered before allowing other
users to add scripts at will.

....Roy Fielding ICS Grad Student, University of California, Irvine USA